Phishing scams are an immense and growing problem, increasing in both frequency and sophistication. In a phishing scam, a phisher sends a legitimate-looking email that appears to originate from a targeted website, e.g., a financial institution, a shopping site, or an Internet Service Provider. The fraudulent email attempts to convince the recipient to enter personal or financial information, e.g., a credit card number, a bank account number, a password, or a PIN, typically on a spoofed version of the targeted website that is under the phisher's control.
PassMark Security, Inc. provides an antiphishing system in which back-end systems at the targeted sites allow their users to associate a personal picture with the site's password form. When the user enters his or her username at the targeted site, the site displays a password form that includes the personal picture the user previously supplied for that site. Thus, the user expects a particular personal picture to accompany a request for a password at a particular site. If the user does not see the personal picture with the request for a password, the user knows not to provide the password. In this way, PassMark's system allows the user to recognize a spoofed site that does not know the user's picture.
One major drawback of this antiphishing system is that the personal picture is disclosed in exchange for the username alone, so a phisher can proxy requests to the targeted site: the phisher's site forwards whatever username the user types to the targeted site, obtains the personal picture associated with that username, and displays it on its own password form. Thus the targeted site is vulnerable to a spoofing attack in which a “man-in-the-middle” obtains the user's picture and relays it to the user, who sees the expected picture, enters the password, and thereby hands it to the phisher, who can replay it against the targeted site to steal the user's information. PassMark's system also requires the targeted site to implement its technology; if the targeted site does not implement PassMark's technology, the user of the site does not benefit from the antiphishing system. Accordingly, there is a need for a mechanism that can be easily implemented and that allows a user to easily discriminate between legitimate and spoofed versions of a targeted website.
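The following simulation, added here as an illustration and not PassMark's own code, shows why the picture check defeats a naive spoofed site but not a relaying one. The three parties (the targeted site, a naive phishing site, and a man-in-the-middle proxy), the usernames, pictures, and passwords are all constructed stand-ins; the picture-for-username step and the password step are modelled as plain method calls rather than HTTP requests.

```python
"""Simulation of the man-in-the-middle relay attack on a picture-based login.

Added illustrative code; the site, phishers, users, and credentials below
are constructed for the example and are not PassMark's implementation.
"""

# Constructed back-end data for the hypothetical targeted site.
_SITE_PICTURES = {"alice": "blue_sailboat.png", "bob": "red_barn.png"}
_SITE_PASSWORDS = {"alice": "correct horse battery staple", "bob": "hunter2"}


class TargetedSite:
    """The legitimate site: reveals the personal picture on the username alone."""

    def password_form(self, username):
        # Step 1: username only -> the site answers with the user's picture.
        # Nothing in this answer is bound to the site that will display it.
        return _SITE_PICTURES.get(username)

    def login(self, username, password):
        # Step 2: the password form is submitted.
        return _SITE_PASSWORDS.get(username) == password


class NaivePhishingSite:
    """A spoofed site that does not know the user's picture and must guess."""

    def __init__(self):
        self.captured = []

    def password_form(self, username):
        return "generic_padlock.png"  # a guess; the real picture is unknown

    def login(self, username, password):
        self.captured.append((username, password))
        return True


class PhishingProxy:
    """A spoofed site that relays step 1 to the real site and shows the result."""

    def __init__(self, real_site):
        self.real_site = real_site
        self.captured = []

    def password_form(self, username):
        # Forward the victim's username and return the genuine picture.
        return self.real_site.password_form(username)

    def login(self, username, password):
        # Capture the password, then replay it so the victim sees a normal login.
        self.captured.append((username, password))
        return self.real_site.login(username, password)


def user_visits(site, username, expected_picture, password):
    """The user's check: type the password only if the expected picture appears.

    Returns (password_was_sent, login_succeeded).
    """
    shown = site.password_form(username)
    if shown != expected_picture:
        return (False, False)
    return (True, site.login(username, password))


def run_scenario():
    """Alice (picture 'blue_sailboat.png') visits each of the three sites."""
    real = TargetedSite()
    naive = NaivePhishingSite()
    proxy = PhishingProxy(real)
    creds = ("alice", "blue_sailboat.png", "correct horse battery staple")
    return {
        "direct": user_visits(real, *creds),
        "naive": user_visits(naive, *creds),
        "relayed": user_visits(proxy, *creds),
        "naive_captured": list(naive.captured),
        "proxy_captured": list(proxy.captured),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The naive site is detected because it cannot show the right picture, but the proxy is indistinguishable from the real site at the point where the user makes the decision: the correct picture is produced by the targeted site itself, and the user cannot tell from the picture alone which site relayed it.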